The Libretro repositories were hacked and the build files were corrupted

The Libretro community, which develops and maintains the code for the popular RetroArch game console emulator and the Lakka Linux distribution for building game consoles, has warned of a break-in to the project's infrastructure and vandalism in its repositories.

In its report they state that the attackers gained access to the buildbot and to the repositories on GitHub. On GitHub, the attackers reached all repositories of the Libretro organization by using the account of one of the project's trusted contributors.

The attackers' activity was limited to vandalism: they tried to wipe the contents of the repositories by forcing an empty initial commit onto them.

In this way the attack wiped every repository listed on three of the nine pages of Libretro's GitHub repository list.

We were the target of a premeditated cybercrime attack on our key infrastructure.

The hacker did the following damage:

  • They gained access to our buildbot server and stopped the nightly / stable buildbot services and the netplay lobby service. At this time, Core Updater will not work. The websites for these have also become inaccessible for the time being.
  • They gained access to our Libretro organization on GitHub by posing as a very trusted member of the team and forced an initial blank commit onto a fair percentage of our repositories, effectively deleting them. They managed to damage 3 of the 9 pages of repositories. RetroArch and everything that precedes it on page 3 was left intact before their access was cut off.

We are still waiting for some kind of response or support from GitHub. We hope they can help us restore some of these shattered GitHub repositories to their correct state, and also help us determine the identity of the attacker.

Fortunately, the developers blocked the attempt before the attackers reached RetroArch's main repository.

As for the build server, the attackers disrupted the services that generate the test and stable builds, as well as the one that organizes network games (the netplay lobby).

No attempts to replace files or to tamper with RetroArch builds and core packages were recorded.

Currently the Core Installer, Core Updater and Netplay Lobby, as well as the sites and services related to these components (Update Assets, Update Overlays, Update Shaders), are broken.

We are still evaluating the situation, but going forward, we think it is probably best not to go ahead with the buildbot server that was compromised today. We had some long-term migration plans for the switch to a new server, but this was always delayed because we felt we were not ready for the migration.

The main problem the project faced after the incident was the lack of an automated backup process.

The last backup of the buildbot server was made a few months ago. The developers attributed the absence of an automatic backup system to a lack of money, given the limited budget for infrastructure maintenance.
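The wipe described above (an empty initial commit forced over each branch) and the missing automated backup point at the same control. The following is an added example, not Libretro's code: a git backup script that fetches the remote's branches into a staging namespace and only advances its own copy of a branch on a fast-forward, so a forced history rewrite is reported and the backed-up tip is kept. It assumes git is installed and that the backup host can fetch from the remote (URL or local path).

```shell
#!/usr/bin/env bash
# Added example (not Libretro code): an off-site git backup that refuses to
# follow a history rewrite. Assumes git is installed and the backup host can
# fetch from the remote given to init_mirror.
set -eu

# init_mirror <mirror-dir> <remote>
# Creates an empty bare repository that will hold the backed-up branch tips.
init_mirror() {
  git init --quiet --bare "$1"
  git -C "$1" remote add origin "$2"
}

# check_and_update <mirror-dir>
# Fetches the remote's branches into refs/incoming/ (never straight over the
# backup), then for each branch:
#   - new branch                                       -> record it
#   - fast-forward (old tip is an ancestor of new tip) -> advance the backup
#   - anything else (e.g. a forced empty "initial" commit) -> report it and
#     keep the old tip, so the backup survives the wipe
# Returns 1 if any branch was rewritten, 0 otherwise.
check_and_update() {
  mirror=$1
  status=0
  git -C "$mirror" fetch --quiet --prune origin '+refs/heads/*:refs/incoming/*'
  for ref in $(git -C "$mirror" for-each-ref --format='%(refname)' refs/incoming/); do
    branch=${ref#refs/incoming/}
    new=$(git -C "$mirror" rev-parse "$ref")
    old=$(git -C "$mirror" rev-parse --verify --quiet "refs/heads/$branch" || true)
    if [ -z "$old" ]; then
      git -C "$mirror" update-ref "refs/heads/$branch" "$new"
    elif [ "$old" = "$new" ]; then
      :  # unchanged
    elif git -C "$mirror" merge-base --is-ancestor "$old" "$new"; then
      git -C "$mirror" update-ref "refs/heads/$branch" "$new" "$old"
    else
      echo "REWRITTEN refs/heads/$branch backup=$old remote=$new (backup kept)"
      status=1
    fi
  done
  return $status
}
```

Run `check_and_update` from a timer or cron job; a non-zero exit is the alert that someone rewrote a branch on the remote, and the old tip is still in the mirror for recovery.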

The developers do not intend to restore the old server but to launch a new one, whose creation was already planned. In that case, builds for systems like Linux, Windows and Android will be available immediately, but it will take time to restore builds for specialized systems such as game consoles and older MSVC builds.

This would mean that the most common builds for Linux / Windows / Android would be available immediately, but all specialized systems like consoles, old MSVC builds and all of that would have to wait until we have successfully adapted them to the new system.

GitHub, to which the corresponding request was sent, is expected to help restore the contents of the wiped repositories and identify the attacker. So far it is only known that the hack was carried out from the IP address 54.167.104.253, meaning the attacker was probably using a compromised AWS virtual server as an intermediate hop.

If you want to know more about it, you can read the original note at the following link.
